Issue 321 in webp: integer overflow in utils.c debug code


jz… via monorail

Dec 12, 2016, 3:42:40 PM
to webp-d...@webmproject.org
Updates:
Cc: pascal.m...@gmail.com
Labels: -Security -Restrict-View-Security
Summary: integer overflow in utils.c debug code

Comment #1 on issue 321 by jz...@google.com: integer overflow in utils.c debug code
https://bugs.chromium.org/p/webp/issues/detail?id=321#c1

Thanks for the report. I don't believe this is a security issue.

The first failure is an allocation failure in ASan, webp behaves as expected with ASAN_OPTIONS=allocator_may_return_null=1, 32-bit non-ASan builds and in 64-bit builds with this file.

The overflow reported is in debug code, but should be given a look.

--
You received this message because:
1. The project was configured to send all issue notifications to this address

You may adjust your notification preferences at:
https://bugs.chromium.org/hosting/settings

pascal.m… via monorail

Dec 12, 2016, 4:48:33 PM
to webp-d...@webmproject.org
Updates:
Status: Accepted

Comment #2 on issue 321 by pascal.m...@gmail.com: integer overflow in utils.c debug code
https://bugs.chromium.org/p/webp/issues/detail?id=321#c2

Thanks for the report, https://chromium-review.googlesource.com/#/c/419017/ should take care of this.

This overflow has no real incidence since this is testing code: you don't get a malloc failure, but the rest of the library is able to keep on going nevertheless.
The only downside of the overflow is that one may miss an artificial malloc failure while testing/debugging a particular problem.
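A constructed model of the failure mode comment #2 describes, added here as an illustration and not libwebp's own utils.c: a MALLOC_LIMIT-style byte counter whose limit check sums in size_t and can wrap, beside a check that compares against the remaining headroom and cannot. The counter names and the functions limit_reset, limit_check_naive, limit_check_safe and limit_used are assumptions; the actual libwebp accounting code is not shown on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a MALLOC_LIMIT-style accounting counter: total_mem is
   the number of bytes the harness believes it has handed out, mem_limit the
   point at which it should fake a failure. Names are not from libwebp. */
static size_t total_mem = 0;
static size_t mem_limit = 0;

/* Reset the counters; limit == 0 disables the artificial failures. */
void limit_reset(size_t limit) {
  total_mem = 0;
  mem_limit = limit;
}

/* Naive check: total_mem + requested is computed in size_t, so an oversized
   request wraps to a small number, the comparison passes, the fake failure
   is missed, and the counter is left with a wrapped (wrong) value. */
int limit_check_naive(size_t requested) {
  if (mem_limit == 0) return 1;
  if (total_mem + requested > mem_limit) return 0;  /* can wrap */
  total_mem += requested;
  return 1;
}

/* Overflow-safe check: compare the request against the remaining headroom
   instead of forming a sum. total_mem never exceeds mem_limit because it
   only grows when this check passes, so the subtraction cannot underflow. */
int limit_check_safe(size_t requested) {
  if (mem_limit == 0) return 1;
  if (requested > mem_limit - total_mem) return 0;  /* fake failure */
  total_mem += requested;
  return 1;
}

size_t limit_used(void) { return total_mem; }

int main(void) {
  int r;
  limit_reset(1000);
  limit_check_naive(900);
  r = limit_check_naive(SIZE_MAX - 100);
  printf("naive: returned %d, counter now %zu\n", r, limit_used()); /* 1, 799 */
  limit_reset(1000);
  limit_check_safe(900);
  printf("safe: returned %d\n", limit_check_safe(SIZE_MAX - 100)); /* 0 */
  return 0;
}
```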

bugdro… via monorail

Dec 13, 2016, 1:11:17 AM
to webp-d...@webmproject.org

Comment #3 on issue 321 by bugd...@chromium.org: integer overflow in utils.c debug code
https://bugs.chromium.org/p/webp/issues/detail?id=321#c3

The following revision refers to this bug:
https://chromium.googlesource.com/webm/libwebp/+/76bbcf2ed61d326bae3e37e1941e2a8674840462

commit 76bbcf2ed61d326bae3e37e1941e2a8674840462
Author: Pascal Massimino
Date: Mon Dec 12 21:40:40 2016

fix a potential overflow with MALLOC_LIMIT

BUG=webp:321

Change-Id: Iab89dfe167fb394fcdffd3b2732d4ac9bef764b0

[modify] https://crrev.com/76bbcf2ed61d326bae3e37e1941e2a8674840462/src/utils/utils.c

bugdro… via monorail

Dec 13, 2016, 7:39:09 PM
to webp-d...@webmproject.org
Updates:
Labels: merge-merged-0.5.2

Comment #4 on issue 321 by bugd...@chromium.org: integer overflow in utils.c debug code
https://bugs.chromium.org/p/webp/issues/detail?id=321#c4

The following revision refers to this bug:

Author: Pascal Massimino
Date: Mon Dec 12 21:40:40 2016

fix a potential overflow with MALLOC_LIMIT

BUG=webp:321

Change-Id: Iab89dfe167fb394fcdffd3b2732d4ac9bef764b0
(cherry picked from commit 76bbcf2ed61d326bae3e37e1941e2a8674840462)

[modify] https://crrev.com/df780e0eac76e1f99a3efb8118551301b29cb9cb/src/utils/utils.c

seuk… via monorail

Dec 13, 2016, 9:10:56 PM
to webp-d...@webmproject.org

Comment #5 on issue 321 by seuk...@gmail.com: integer overflow in utils.c debug code
https://bugs.chromium.org/p/webp/issues/detail?id=321#c5

Can I request a CVE for libwebp? I think this bug doesn't affect Chrome and Android.

jz… via monorail

Dec 13, 2016, 9:28:14 PM
to webp-d...@webmproject.org

Comment #6 on issue 321 by jz...@google.com: integer overflow in utils.c debug code
https://bugs.chromium.org/p/webp/issues/detail?id=321#c6

I'm not really sure this is worthy of one, being in test/debug code that has to be enabled manually.

pascal.m… via monorail

Dec 14, 2016, 1:46:40 AM
to webp-d...@webmproject.org
Updates:
Status: Verified

Comment #7 on issue 321 by pascal.m...@gmail.com: integer overflow in utils.c debug code
https://bugs.chromium.org/p/webp/issues/detail?id=321#c7

Indeed, this code was never compiled in any released version.